Access control system

ABSTRACT

A device is described that includes a first microprocessor configured for interfacing with a digital access control backend, and a second microprocessor configured for dedicated communications with an access control manager device backend. The first microprocessor is a master device that controls the operation of the second microprocessor as a secondary device. The proposed device is configured for operation of the first microprocessor and the second microprocessor at low clock speeds and to maintain a hash segregation between locally received data sets and data sets transmitted to an external authentication system.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.17/026,144, filed Sep. 18, 2020, which is a non-provisional of, andclaims all benefit, including priority to U.S. Application No.62/901,978, filed Sep. 18, 2019, entitled “ACCESS CONTROL SYSTEM”, allof which are incorporated herein by reference in their entirety.

This application is related to U.S. application Ser. No. 16/683,858,filed Nov. 14, 2019, entitled “SECURE COMMUNICATION PLATFORM,incorporated herein by reference in its entirety.

FIELD

Embodiments of the present disclosure relate to the field of accesscontrol, and more specifically, embodiments relate to devices, systemsand methods for access control using reduced computing capabilitycomputing devices (such as microprocessors and/or microcontrollers).

INTRODUCTION

Access control management systems (ACMs) are often configured for usageon a legacy communications protocol.

Legacy access control systems, in some instances, rely on the physicalsecurity provided by a direct, hard-wired connection (e.g., Wiegand,OSDP, etc.) between the components of the access control system and theassociated access control readers (e.g., RFID card readers, mobilecredential readers, PIN pads, etc.). For example, the Wiegand interfaceis a wiring protocol that utilizes electrical effects that occur duringa short timeframe for signalling (e.g., when a magnetic strip card ispresented to a reader device, a series of bits are signalled throughmodifications of electric current during switches of magnetic state, orvia radio frequency identification (RFID) protocols that are used togenerate corresponding electrical signals, for example, throughinduction induced on electronic components of an access badge).

Legacy ACMs are prevalent in facility securement. These legacy ACMstypically operate with a set of corresponding access control tokenswhich are issued to individuals who are authorized to access controlledresources (e.g., enter doors, open data server cabinets, generateauthenticated login sessions at computer terminals). The access controltokens can include access fobs (e.g., storing a code accessible by nearfield communications or inductive coupling). The legacy existingapproach presents significant limitations, both in the requirement torun dedicated wiring throughout the building, and that the maximumtypical operating distance is less than 100 meters.

While the legacy systems may be outdated, the fixed cost of installationhas already been incurred and it may be useful to retrofit and modernizethe existing infrastructure.

SUMMARY

It may be desirable to upgrade or retrofit legacy access control devicessuch that improved digital rules-based systems can interact with thelegacy access control devices.

As described herein, the upgrade or retrofit is not trivial as technicalproblems persist in respect of technical signalling challenges.Furthermore, from a practical perspective, the upgrade or retrofit ispotentially costly as a large number of devices may be needed, and theremay be a desire to utilize lower cost and complexity by incorporatinglow power/low clock speed microprocessors.

While there may be legacy wireless solutions, they typically rely onrelatively short-range radio protocols, such as IEEE 802.15, which caneliminate some of the overhead of running existing wiring, butfurther-reduces the maximum distance between access control hubs and theassociated access control readers to a maximum typical operatingdistance of 10-20 meters. Such a short distance is not desirable andlimits the potential application of the system.

A retrofit improvement would allow, for example, technology-basedrestrictions, such as the requirement to have dedicated wiring and ashort maximum operating distance, to be overcome. The retrofitimprovement includes intercepting signals bound for or from legacysystems, and adding improved infrastructure to utilize, combine, expand,and/or add functionality to the legacy systems.

For example, the legacy systems may be coupled with modernized digitalbackend systems that can provide additional layers of security,including beacon based security, mobile credentials (e.g., those storedon smartphones), integration with directory services, dynamic securityshifts (e.g., raised security requirements responsive to a detectedbreach of a similar technology at an unrelated site detected throughnews alerts), dynamic failovers (e.g., communications outage, poweroutage, natural disaster), among others.

The retrofit can further allow the overcoming of prior technologicalbarriers, such as wire-based distance limitations (e.g., adding a remotebackcountry toolshed accessible to repair technicians to a securityinfrastructure to be monitored alongside city-based premises), amongothers. The retrofit also adds the potential for non-security basedintegration extensibility, such as adding well-ness checks (e.g.,temperature monitoring), well-ness declarations, travel-baseddeclarations, and verification of same prior to provisioning access, forexample, by cross-referencing location-based data or personnel records.

Other potential retrofits include safety-based retrofits (e.g., prior tolong-haul truck driver gaining access to a vehicle, alcohol testing viaa breath test, or rest/sleep tracking determinations may be required toaid in improving transportation safety). Retrofits can extendfunctionality in respect of specific use cases, for example, where theidentity can be extended to activities associated with secured elements,such as digital evidence lockers adapted for anti-tampering and improvedmonitoring for law enforcement.

However, several technical challenges arise that are addressed byvarious embodiments described herein. A technical challenge that ariseswith using legacy communications protocols is that the speed at whichthe series of bits are signalled through modifications of electriccurrent during the switches of magnetic states requires high timingaccuracy by a coupled microprocessor. For example, the width and timingof pulses can be critical.

The technical signalling problem associated with legacy systems raisesdue to legacy access control tokens transmitting their payloadasynchronously, for example, via a one-way RFID protocol. This meansthat the transmitting RFID card, keyfob or similar device is unaware ofthe receiver's state, and, in particular, it is unaware of thereceiver's immediate willingness or ability to receive the transmittedsignal, and the receiver is unable to ask the transmitter to pause,repeat or change the speed of the transmission. If the receiver is notimmediately able to receive every transmitted value, then one or moreparts of the transmission will be lost and unrecoverable (e.g., unableto interpret or incorrectly interpreted). These errors in reception cancause the legacy access control system to either deny entry to anotherwise-authorized individual, could incorrectly raise monitoringalarms related to invalid access attempts.

For low power microcontrollers (e.g., those designed to be operatedusing portable batteries or in regions where power is not steadilyavailable), the controllers have slower clock speeds (e.g., 160 MHz or16 MHz). As the period of a clock cycle is the inverse of the clockspeed, the clock cycles of the low power microcontrollers can becomputationally long.

While a high power processor can provide enough head room, the longclock cycles of the low power microcontrollers causes a technicalproblem in relation to achieving the high timing accuracy required bylegacy communications protocols, especially where the low powermicrocontrollers are conducting other functions or the protocol requiresnarrow pulses (e.g., to provide voltage pulldowns to signal specificbits at approximately 50 us—a single missed pulldown could result in anerror). Legacy access control systems make use of door controllers thattypically service many readers, which means that interface devices suchas this must have the capability of receiving multiple, simultaneoussignals.

With typical clock speeds and door configurations, this means that alow-power microprocessor would be required to respond to any incomingbits within a small number of clock cycles; during this time themicrocontroller must detect a level-change on the Wiegand input, processa software interrupt, sample its ADC to determine the level of the line(“0” or “1”), store the result in an internal data structure, reset thesoftware interrupt settings, and return from the interrupt handler.

Processing simultaneous access control events (e.g., two people scanningtheir access control cards at close to the same time) can consume allavailable clock cycle budget, leaving no additional capacity for themicrocontroller to manage the other device requirements, such asmanaging network communication, eventing monitoring, encryption, etc.

When a low power microcontroller is tasked with multiple simultaneousoperations requiring use of on-board computing resources, computationaltasks may be delayed in execution, and these delays in execution (e.g.,due to execution command congestion) can lead to deleterious effects inrespect of generating electrical signals for communication with thelegacy protocols or devices due to mistiming. When a signal is mistimed,it can be read incorrectly at the receiving device, and incorrectresults may occur (e.g., denial of access to validated individual), asthe signalling does not include any error-recovery bits that can be usedto recover any lost bits.

Another technical problem that could arise in relation to digitalintegration with improved external cloud-based access control systemsincludes a need to avoid transmitting plaintext or practicallyreversible card identifiers or facility identifiers to the externalaccess control systems. By avoiding transmitting plaintext orpractically reversible card identifiers or facility identifiers, apotential attack vector is reduced as a malicious attacker cannot useinformation obtained through intercepting the network connection orthrough vulnerabilities at the external access control systems. Thistechnical problem can be addressed by the low power microcontrollersdescribed in various embodiments.

As described in various embodiments herein, a microcontroller circuitand corresponding circuit topologies, computing systems, methods ofoperation, and computer program products affixed in the form ofnon-transitory computer readable memories storing machine-interpretableinstruction sets for execution on one or more computer processors areprovided.

A proposed microcontroller circuit, in accordance with a first aspect,includes a first microprocessor configured for interfacing with adigital access control backend, and a second microprocessor configuredfor dedicated communications with an access control manager devicebackend.

This proposed approach encompasses four main signaling requirements: (i)it has to receive the incoming signal from a legacy access control token(for example, an RFID card, keyfob or similar device); (ii) it has totransform the signaled token value into a secure form, suitable forremote digital processing (e.g., via secure, one-way hashing, such asHMAC-SHA256) and then securely transmit that event information to theremote digital server (for example, via TLS-secured MQTT protocol);(iii) it has to receive back a secure authentication confirmation fromthe remote digital server, which must be decrypted, decoded andprocessed (for example, via TLS-secured MQTT protocol); and, (iv) itmust then recreate and transmit the original legacy access control tokenonwards to the legacy access control system, using the precise formatand signal timing that the legacy access control system is configured toaccept.

In some embodiments, legacy access control devices are not only adaptedfor retrofit to enable interoperability with improved digital systems,but the access control is extended in respect of adding interconnectionsto remote devices that could otherwise be impractical to connect. Forexample, access control devices can be extended to vehicles, remotefacilities (e.g., an equipment shed that would otherwise be impracticalto connect via physical wiring), among others.

The first microprocessor (e.g., an ESP32 system on a chipmicroprocessor) is a primary (e.g., master) device that controls theoperation of the second microprocessor (e.g., an ATMega168microcontroller having general purpose input/output pins) as a secondarydevice adapted to receive and process instructions received from theprimary device.

In particular, the first microprocessor is adapted for conductingdigital communications protocols and credential transformationoperations. The second microprocessor emulates signals based on commandinstructions received from the first microprocessor, the emulatedsignals used for communicating with a legacy ACM system. The firstmicroprocessor, in some embodiments, has greater computing capabilitythan the second microprocessor. Because the second microprocessor isdedicated to communications across the signalling protocol, its abilityto provide correctly timed signals is improved.

To address the signalling problem, wherein a multi-tasking receiver isrequired to be immediately ready to receive an incoming signal at anypoint in time, the proposed design of an embodiment provides onemicrocontroller that is always ready to process, decode and validate theincoming signals, and generate the timing-dependent outgoing signals,while the other microprocessor (e.g., secondary microprocessor) is ableto handle the remaining work of communication with the remote digitalserver.

This eliminates the need to build the solution on larger, more-powerfulCPUs that would otherwise need to be scaled for peek demand, which is asignificant benefit in both the costs associated with higher-specdevices and the power requirements associated with higher-clockrate CPUs(as the power consumption requirements of a CPU scale approximately withthe square of the clockspeed, which means that an implementation thatrequires 2 times the CPU speed will require 4 times the power in orderto run the same application, which can significantly limit theapplication for solutions that are mobile or may not otherwise haveaccess to continuous external power).

A microcontroller system that incorporating the first microprocessor andthe second microprocessor provides an interface between access events(e.g., physical or virtual access events) that operate on legacy systemsand coupling them to digital backend that provides enhanced userprofile/security features. The legacy transaction protocol is translatedfor two-way communication—in one direction for transmitting accesstokens provided by users (e.g., door badging at a panel using a keyfob)and in the other direction for provisioning access (e.g., grantingaccess by releasing a magnetic lock or initiating a secured computersession on a secured graphical user interface). The system may resideon-premises such that data transferred (e.g., facility numbers, cardnumbers) can be locally stored.

The first microprocessor and the second microprocessor areelectronically coupled to one another through a messaging bus, and insome embodiments, an additional interrupt line that operates to enablethe second microprocessor to communicate event triggers to the firstmicroprocessor (e.g., instead of inefficiently polling).

An example physical access could be usage for controlling/denying entryinto a building when a key card is presented at a reader. The reader canreceive a Wiegand signal from the key card (e.g., as a magnetic strip isrun across, a series of electrical pulses are generated, or acorresponding RFID signal) and this signal is sent to the secondarymicroprocessor to decode and then the decoded message is sent to themaster microprocessor, which either authenticates locally (in someembodiments) or authenticates by sending a transformed decoded messageto an external authentication mechanism (e.g., an external server).

The reader can also receive a Bluetooth signal from a mobile device.Another example access could be usage for controlling/denying connectionto a car ignition system. Another example could be usage for reading akeyfob identifier (or some other token) from the car's system. This canbe useful in situations where the car already has a legacy keyfob systemthat has some vulnerabilities or limited utility. As described herein,the car can be extended to be covered in respect of the retrofit system,and car keyfobs can be intercepted and additional verification andauthentication is required in respect of security (e.g., addingadditional security elements due to prevalence of a suspected relayattack) or non-security-based improvements, such as safety (e.g.,alcohol testing) or rest-based requirements (e.g., coupling to a fatiguemonitor, such as a smartwatch). Another example includes control of cargarage remotes.

Upon receipt of a successful authentication message from the externalauthentication mechanism, the master microprocessor sends an instructionsignal to the secondary microprocessor to generate a correspondingsignal for controlling the access control provisioning (e.g., in alegacy communication protocol). By transforming the message such thatonly a securely-hashed version is sent to the external authenticationmechanism, the underlying decoded message is not revealed to theexternal authentication mechanism. An example virtual access couldinclude controlling/denying secured login into a restaurant cashierterminal when a server presents a key card at a reader coupled to thecashier terminal.

Secure hashing (such as, but not limited to, SHA-AES256) can be used forcommunications securement. Secure hashing and a secret key can beintegrated together, rendering it practically irreversible andanonymized.

The first microprocessor can store local secret keys on-premises, whichcan be used in conjunction with public keys to be signed and forgeneration of certificates (e.g., x509 certificates). Accordingly, ahard segregation can be established between the microcontroller systemand the external systems.

The system described herein can be used, an in embodiment, as a systemfor providing interoperable access control between a digital backendauthentication system and an access control system, the systemcomprising an interception device (e.g., having the microcontrollersystems) configured to intercept physical access requests received froma sensor and to forward the physical access requests to the digitalbackend authentication system for validation. A receiver interface canbe configured to receive authorization signal from the digital backendauthentication system to allow a physical access event to proceed; and aprotocol transformation engine can be configured to transform theauthorization signal and to transmit a transformed authorization signalto the access control system.

In another aspect, an additional interrupt connection link isestablished between the first microprocessor and the secondmicroprocessor to allow for interrupt type signals to be transmitted(e.g., to reduce a need to utilize polling, which could becomputationally costly and inefficient to operate).

In another aspect, the first microprocessor is coupled to an externalauthentication mechanism (e.g., external authentication server) andconfigured to transform received credentials from the secondmicroprocessor. Local credentials (e.g., facility number, card IDnumber) are transformed (e.g., through the use of secure hashing) priorto communication to the external authentication mechanism.

In particular, the transformation of the local credentials allows theability to avoidance of sending up plaintext/reversible localcredentials to the external authentication mechanism. By sending onlytransformed credentials, the external authentication mechanism is ableto authenticate the associated user profiles without having the abilityto observe directly the schema or underlying local access credentials.The secure hashing key is shared between the various on-premisesdevices—via a secure key-sharing algorithm (e.g., public keycryptography, or a variant of Needham-Shroeder)—so that all of thedevices can produce an identical transformation (used for later matchingthe user's physical identity to their digital identity). The secure keysharing is constructed such that an external validation system (e.g.,the cloud service) is unable to discover or recover the on-premises key.

In a further aspect, the first microprocessor is configured to maintaina rolling secret stored in a local data structure whose correspondingkey is periodically provided to the external authentication server. Byutilizing a rolling secret maintained locally, the threat of maliciousaccess event emulation at the external authentication mechanism levelcan be reduced once the rolling secret has rolled over. The rollingsecret, for example, can include a private symmetric key that is used togenerate a message to the external authentication server with the key(e.g., generated based on a magic #, a sequence #, a facility #, a card#), etc. The external authentication server receives the transformedcredentials (e.g., a securely-hashed value, generated from theunderlying credentials), which it can process and something it is notcapable of processing or generating (a token generated from the rollingsecret).

In another aspect, the first microprocessor and the secondmicroprocessor are configured for offline usage when disconnected fromthe external authentication server. The online usage capabilities can belimited. For example, the first microprocessor may be coupled to a datastorage storing a cyclical buffer of previous successful access attemptsand even if disconnected from the external authentication server, thoseauthenticated profiles, upon the first microcontroller receiving acorresponding correct input from the ACM to the second microcontroller,can generate control signals provisioning or denying access to acontrolled resource.

In another aspect, memory regions of data storage coupled to or residingon the first microprocessor can be used for avoiding the need forexplicit time stamping through a re-use of the memory region markingmechanism. This mechanism is particularly useful where the clocks on thefirst or the second microprocessor (or both) cannot be relied upon toprovide accurate timestamps (this issue arises in respect of low costand low-power implementations, such as timestamp slippage or a poorlysynchronized local clock), or if the microprocessors simply don't haveclocks.

A compiler instruction can be used to mark memory as non-initialized—oninitial power on, the system sets a flag to 0, once the system obtainsnetwork connectivity, it periodically updates a RAM based standardvariable with the time. When the system restarts, the microprocessortakes that time and loads the time into the system clock. Accordingly,the microcontroller is able to maintain a view of current time acrossreboots or software failures without a battery, clock, etc.

DESCRIPTION OF THE FIGURES

In the figures, embodiments are illustrated by way of example. It is tobe expressly understood that the description and figures are only forthe purpose of illustration and as an aid to understanding.

Embodiments will now be described, by way of example only, withreference to the attached figures, wherein in the figures:

FIG. 1 is a block schematic diagram of an example system for accesscontrol, according to some embodiments.

FIG. 2 is an example method diagram showing an example method for accesscontrol, according to some embodiments.

FIG. 3 is an example computing device, according to some embodiments.

FIG. 4 is a diagram showing an example retrofit system, according tosome embodiments.

FIG. 5 is an example block schematic showing a more complex system,according to some embodiments.

FIG. 6 is a block schematic showing a system being extended to provideprotection in respect of a vehicle, according to some embodiments.

FIG. 7 is a electrical pulse diagram of signals associated with a set ofexample doors, according to some embodiments.

FIG. 8 is a second electrical pulse diagram of signals associated with aset of example doors, according to some embodiments.

DETAILED DESCRIPTION

Legacy approaches, whether wired or wireless, suffer from limitationsthat hamper adoption of traditional physical access-control technologiesin modern, distributed corporate environments: (i) authentication ofend-users must take place at fixed locations, limiting the ability toutilize traditional physical access-control technologies in mobileapplications; (ii) those fixed locations must be in relatively closephysical proximity to the other components of the enterprise's accesscontrol system, limiting the ability to utilize traditional physicalaccess-control technologies in environments with widely-distributedassets; (iii) most existing signalling mechanisms utilized by accesscontrol systems (e.g., dedicated wiring or point-to-point wireless)cannot be monitored or protected with the infrastructure thatenterprises typically use to monitor and protect their existing digitalnetworks that connect their other data, digital-security and IoTnetworks; (iv) existing access control technologies typically requireone-to-one connections between access control readers and access controlpanels, which means that increasing the number of securedassets/access-points typically involves the significant additionalfinancial and labour cost of installing additional access controlpanels, etc.; and, (v) the one-to-one connections of existing accesscontrol technologies limit enterprises that manage multiple locationsfrom maintaining consolidated views and monitoring of access controlevents.

A technical challenge that arises with using legacy communicationsprotocols is that the speed at which the series of bits are signalledthrough modifications of electric current during the switches ofmagnetic states (or using RFID) requires high timing accuracy by acoupled microprocessor. For example, the width and timing of pulses canbe critical. This level of timing accuracy can be important, forexample, where the legacy communications protocols utilize coded signalssuch as specifically modulated radio waves (e.g., keyfobs operating at315 MHz or approximately 433 MHz), modulated, for example, usingamplitude-shift keying. In the context of RFID devices (access cards,car keyfobs, etc.), these devices simply blindly transmit signalswithout any flow control that would permit the receiver to delay orcontrol the timing of the input from the RFID devices.

The primary problem is that legacy access control tokens transmit theirpayload asynchronously, typically via a one-way RFID protocol. Thismeans that the transmitting RFID card, keyfob or similar device isunaware of the receiver's state, and, in particular, it is unaware ofthe receiver's immediate willingness or ability to receive thetransmitted signal, and the receiver is unable to ask the transmitter topause, repeat or change the speed of the transmission. If the receiveris not immediately able to receive every transmitted value, then one ormore parts of the transmission will be lost and unrecoverable.

If any portions of the transmitted signal are lost, then the receiverwill either be unable to interpret the transmitted credential, or it mayincorrectly interpret the transmitted credential value as another,shorter value (e.g., if 6 bits are lost from a 32-bit credentialtransmission, it may be incorrectly received as a different, butvalid-looking 26-bit credential transmission). These errors in receptioncan cause the legacy access control system to either deny entry to anotherwise-authorized individual, could incorrectly raise monitoringalarms related to invalid access attempts.

Additionally, in the case where a reception error causes the transmittedcredential of Person A to be misinterpreted as a different credentialvalue associated with Person B; in this case, it could inadvertentlyallow Person A to gain access to a facility with the credentials andaccess rights of Person B.

For low power microcontrollers (e.g., those designed to be operatedusing portable batteries or in regions where power is not steadilyavailable), the controllers have slower clock speeds (e.g., 160 MHz or16 MHz). Without being able to delay or control the timing of the inputfrom the RFID devices, it is challenging to utilize slower clock speedmicroprocessors as a signal mistiming can render a device inoperable orcause poor operation as signals are not processed properly.

By utilizing network communication layers (e.g., Ethernet, IEEE 802.11wireless, cellular data), a proposed microcontroller-based solution isdescribed herein that allows existing physical access control systemsand the associated access control readers (or access controllers, suchas vehicular locks, garage door openers, cabinet latches) to be readilyretrofitted to support mobile and/or geographically-dispersedenvironments with limited or without any additional changes to orreconfiguration of the existing system components. The approachesdescribed herein are adapted to address technical problems associatedwith using electronic devices having limited computationalfunctionality, such as limited power and/or clock speed.

Additionally, by utilizing network communication protocols (i.e.,TCP/IP), this proposed microcontroller-based solution allows existingphysical access control systems to be readily retrofitted to allowmonitoring and protection through an enterprise's existing networkmonitoring systems, potentially without requiring any changes (e.g.,significant changes) to the existing access control readers or systems.This allows an enhanced range of potential retrofits, including, forexample, vehicle keyfobs, storage cabinet keypads, among others.

For example, a retrofit solution described herein provides a practical,low cost approach for addressing weaknesses with existingimplementations (e.g., adding layers of security to overcome avulnerability to a keyfob “relay attack”) using low clock speedmicroprocessors. Similarly, extending functionality is also possiblewhere, for example, one wishes to add mobile credential processingcapabilities, well-ness checks, connections to actively manageddirectory service or digital security infrastructure, etc., to existinginfrastructure without needing to re-wire existing readers.

Additionally, one remotely-situated microcontroller-based device,connected to an access control reader, may be configured to readilyretrofit existing physical access control systems to permit mobileapplications, without requiring any changes to the existing accesscontrol readers or systems; it can facilitate this by securely relayingan encrypted, time-limited representation of the end-user'sauthenticated access credential to a centrally-locatedmicrocontroller-based device that is connected to the enterprise'sexisting physical access control system, using standard networkcommunication layer(s) and protocols. The microcontroller-based devicecan be electronically coupled to the access control reader, for example,as an additional component connected through wiring or wirelessconnectively that operates as an agent or intercepts signals to abackend access provisioning controller that ultimately grants or deniesaccess by controlling the operation of a door or a latch.

In an embodiment, many remotely-situated microcontroller-based devices,connected to access control readers, are configured to relay end-users'authenticated access credentials to one centrally-locatedmicrocontroller-based device connected to a single traditional accesscontrol panel, thereby eliminating or reducing the traditional scalingcosts associated with adding a large number of access points, withoutrequiring any changes to the existing access control readers or systems.

A microcontroller-based device, connected to an access control reader,may be configured to relay end-users' authenticated access credentialsto multiple microcontroller-based devices that are each connected toindividual access control systems. This can permit access events at aplethora of locations to be mirrored and consolidated into one centrallocation, without requiring any changes to the existing access controlreaders or systems, which provides for greatly-simplified, standardizedmonitoring of access events, reducing the cost and complexity ofalternative approaches for retrofits. To address the signalling problem,wherein a multi-tasking receiver is required to be immediately ready toreceive an incoming signal at any point in time, the proposed design ofvarious embodiments uses one microcontroller that is always ready toprocess, decode and validate the incoming signals, and generate thetiming-dependent outgoing signals, while the other microprocessor isable to handle the remaining work of communication with the remotedigital server.

This eliminates the need to build the solution on larger, more-powerfulCPUs that would otherwise need to be scaled for peek demand, which is asignificant benefit in both the costs associated with higher-specdevices and the power requirements associated with higher-clockrate CPUs(as the power consumption requirements of a CPU scale approximately withthe square of the clockspeed, which means that an implementation thatrequires 2 times the CPU speed will require 4 times the power in orderto run the same application, which can significantly limit theapplication for solutions that are mobile or may not otherwise haveaccess to continuous external power).

FIG. 1 is an example block schematic diagram of an example system foraccess control, according to some embodiments.

In FIG. 1 , system 100 is shown as an on-premises device that is coupledto legacy access control mechanisms on one end and coupled to anexternal verification system. Coupling to legacy access controlmechanisms is challenging with low-power or low-clock speedmicroprocessors as there is a high level of accuracy required foraccurate communications.

System 100 can also be placed on remote locations, in other embodiments,such as being coupled to vehicular locks, garage door openers,cabinets/lockers, among others. The vehicular lock system may beexpecting a coded series of pulses at a particular frequency from akeyfob to be received prior to unlocking a door or allowing ignition ofan engine.

As the period of a clock cycle is the inverse of the clock speed, theclock cycles of the low power microcontrollers can be computationallylong. While a high power processor can provide enough head room, thelong clock cycles of the low power microcontrollers causes a technicalproblem in relation to achieving the high timing accuracy required bylegacy communications protocols, especially where the low powermicrocontrollers are conducting other functions or the protocol requiresnarrow pulses (e.g., to provide voltage pulldowns to signal specificbits at approximately 50 us—a single missed pulldown could result in anerror).

In particular, when an error is encountered, the legacy system maysimply not respond or throw an error signal, resulting in an individualeither obtaining access when access is not warranted or not obtainingaccess although authenticated successfully.

A reason why low clock speed/low power microprocessors are desirable forthese applications is that it is not always possible to incur theexpense of higher power microprocessors, or that higher powermicroprocessors require increased power or cooling mechanisms.

For example, in certain situations, a low clock speed microprocessor isfavourable as it is able to operate on portable energy sources (such asbatteries) for extended periods of time (e.g., >5 days), which is adistinct advantage in locales where power is not readily or consistentlyavailable. In certain implementations, the facilities may simply nothave power outlets near the access control devices and they must operateon portable energy sources. Low clock speed microprocessors also have abenefit of being compact in volume and weight, which allows for anincreased ease of deployment.

When a low power microcontroller is tasked with multiple simultaneousoperations requiring use of on-board computing resources, computationaltasks may be delayed in execution, and these delays in execution (e.g.,due to execution command congestion) can lead to deleterious effects inrespect of generating electrical signals for communication with thelegacy protocols or devices due to mistiming. When a signal is mistimed,it can be read incorrectly at the receiving device, and incorrectresults may occur (e.g., denial of access to validated individual).

For example, a signal requiring 50+/−5 us in accuracy could be delayedin transmission due to instruction congestion/backlog. For a legacysystem where a delay in 50 us leads to a completely different signalfrom being received, there may be a corresponding inaccuracy due to thedelay at the receiver system.

As described in various embodiments herein, a microcontroller circuit100 and corresponding circuit topologies, computing systems, methods ofoperation, and computer program products affixed in the form ofnon-transitory computer readable memories storing machine-interpretableinstruction sets for execution on one or more computer processors isprovided. The machine-interpretable instruction sets can be adapted ascomputer program products for execution on the one or more computerprocessors.

The circuit 100 is adapted to address four main signaling requirements:(i) it has to receive the incoming signal from a legacy access controltoken (for example, an RFID card, keyfob or similar device); (ii) it hasto transform the signaled token value into a secure form, suitable forremote digital processing (e.g., via secure, one-way hashing, such asHMAC-SHA256) and then securely transmit that event information to theremote digital server (for example, via TLS-secured MQTT protocol);(iii) it has to receive back a secure authentication confirmation fromthe remote digital server, which must be decrypted, decoded andprocessed (for example, via TLS-secured MQTT protocol); and, (iv) itmust then recreate and transmit the original legacy access control tokenonwards to the legacy access control system, using the precise formatand signal timing that the legacy access control system is configured toaccept.

A proposed device (e.g., a microcontroller circuit) 100, in accordancewith a first aspect, includes a first microprocessor 102 configured forinterfacing with a digital access control backend 104, and a secondmicroprocessor 106 configured for dedicated communications with anaccess control manager device backend.

The first microprocessor 102 (e.g., an ESP32 system on a chipmicroprocessor) is a master device that controls the operation of thesecond microprocessor 106 (e.g., an ATMega168 microcontroller havinggeneral purpose input/output pins) as a secondary device.

In particular, the first microprocessor 102 is adapted for conductingdigital communications protocols and credential transformationoperations. The second microprocessor 106 emulates signals based oncommand instructions received from the first microprocessor 102, theemulated signals used for communicating with a legacy ACM system. Thefirst microprocessor 102, in some embodiments, has greater computingcapability than the second microprocessor 106. In another embodiment,both the first microprocessor 102 and the second microprocessor 106 canhave the same or similar computing specifications. Because the secondmicroprocessor 106 is dedicated to communications across the signallingprotocol, its ability to provide correctly timed signals is improved.

A microcontroller system 100 incorporating the first microprocessor 102and the second microprocessor 106 provides an interface between accessevents (e.g., physical or virtual access events) that operate on legacysystems and coupling them to digital backend that provides enhanced userprofile/security features.

The legacy transaction protocol is translated for two-waycommunication—in one direction for transmitting access tokens providedby users (e.g., door badging at a panel using a key fob) and in theother direction for provisioning access (e.g., granting access byreleasing a magnetic lock or initiating a secured computer session on asecured graphical user interface). The legacy transaction protocol can,in some embodiments, be based on analog signals that are shaped toreflect a digital signal being communicated. For example, the analogsignals may be reproduced with digital bits signalled throughcorresponding voltage pulldowns which signal digital bits (e.g., 0 or1).

The legacy transaction protocol may interact with specific protocolssuch that a reader will be able to read from the analog signalcharacteristics the digital signal. The digital signal can, in someembodiments, be a representation of a characteristics of the badgeaccess event device or the person associated with the access badge, suchas age, sex, title, facility code, client code, among others.

The system may reside on-premises such that data transferred (e.g.,facility numbers, card numbers) can be locally stored.

The first microprocessor 102 and the second microprocessor 106 areelectronically coupled to one another through a messaging bus 108, andin some embodiments, an additional interrupt line 110 that operates toenable the second microprocessor 106 to communicate event triggers tothe first microprocessor 102 (e.g., instead of inefficiently polling).The message bus 108 can be, for example, based on a 120 architecture.

The interrupt line 110 can be a signal path that is designed for leveltriggering or edge triggering, and for example, can be a signal pathhaving a voltage that is pulled down or up whenever an interrupt signalis being established. The interrupt signal, in this example, canindicate to the master first microprocessor 102 that an authenticationattempt is underway at the device coupled to second microprocessor 106,rather than having the first microprocessor 102 continually poll thesecond microprocessor 106 to query whether such signal is present.

An example physical access controlled by second microprocessor 106 couldbe used for controlling/denying entry into a building when a key card ispresented at a reader. When the key card (or other key token, such as akey fob) or other credentials are presented at the reader, anauthentication challenge response signal can be transmitted. Theauthentication challenge response signal can be as simple as a card ID#associated with the key card, or more complex signals such as rollingcodes that are generated based on a shared secret between the key tokenand the reader (e.g., a rolling code approach).

In legacy systems, the reader may be configured to receive a Wiegandsignal from the key card (e.g., as a magnetic strip is run across or anRFID card is presented, a series of electrical pulses are generated) andthis signal is sent to the secondary microprocessor (secondmicroprocessor 106) to decode and then the decoded message is sent tothe master microprocessor (first microprocessor 102), which eitherauthenticates locally (in some embodiments) or authenticates by sendinga transformed decoded message to an external authentication mechanism112 (e.g., an external server).

The external authentication mechanism 112 can include a cloud-basedserver implementation which is coupled to a user profile matchingengine. The cloud-based server implementation can incorporate processingrules which are adapted to generating digital rules-based architecturefor determining access provisioning decisions.

Accordingly, complex decision making can be established despite thepresence of legacy systems, and in accordance with various embodimentsherein. Complex decision making can include time-based rules, machinelearning based determinations, combinations with step up authentication(e.g., usage of combinations with other modalities where there is apotential for false positives or inconclusive authentication).

For example, a user who should otherwise be authenticated for access at8 AM attempts access at 2 AM. The system may detect a correctauthentication and key token presented at the reader, but for this userprofile, the external authentication mechanism 112 may control anadditional authentication to occur to request a fingerprint to add to anoverall holistic determination of authentication.

Upon receipt of a successful authentication message from the externalauthentication mechanism 112, the master microprocessor (firstmicroprocessor 102) sends an instruction signal to the secondarymicroprocessor (second microprocessor 106) to generate a correspondingsignal for controlling the access control provisioning (e.g., in alegacy communication protocol).

By transforming the message such that only a securely hashed version issent to the external authentication mechanism 112, the underlyingdecoded message is not revealed to the external authentication mechanism112. For example, the information is securely hashed based on a key thatis only stored on-premises and thus never transferred to the externalauthentication mechanism 112. An example virtual access could includecontrolling/denying secured login into a restaurant cashier terminalwhen a server presents a key card at a reader coupled to the cashierterminal.

The key card could provide an initial facility code and a card ID, andthis information may be received by the second microprocessor 106,decoded, and passed to first microprocessor 102. The firstmicroprocessor 102 then securely hashes and transforms the data, andonly the transformed data is sent to the external authenticationmechanism 112.

The first microprocessor 102 can store local secret keys on-premises,which can be used in conjunction with public keys to be signed and forgeneration of certificates (e.g., x509 certificates). Accordingly, ahard segregation can be established between the microcontroller systemand the external systems.

In another aspect, an additional interrupt connection link isestablished between the first microprocessor 102 and the secondmicroprocessor 106 to allow for interrupt type signals to be transmitted(e.g., to reduce a need to utilize polling, which could becomputationally costly and inefficient to operate).

This interrupt connection link is a technical improvement that isadapted for communication for controlling the second microprocessor 106.Other bus protocols (for example, I2C) have a technical deficiency asthe protocol is not adapted to allow a secondary device (e.g., a“slave”) device (such as a microcontroller receiving Wiegand signals) toinitiate communication with the primary “master” device (e.g., theprimary microcontroller).

This means that the second microprocessor 106 would normally have no wayof announcing that a new scan (e.g., card scan) has occurred. Using anaïve implementation of 120, the first microcontroller 102 would need tocontinuously poll the second microprocessor 106 to determine if anythinghas arrived. This approach would introduce two technical problems: (i)it delays the real-time processing of the user's card scan; and, (ii)the polling requests from the “master” all add additional overhead tothe second microcontroller 106, which increases the likelihood ofmissing incoming signal bits (e.g., Wiegand bits), causing amiscommunication error.

In another aspect, the first microprocessor 102 is coupled to anexternal authentication mechanism 112 (e.g., external authenticationserver) and configured to transform received credentials from the secondmicroprocessor 106. Local credentials (e.g., facility number, card IDnumber) are transformed (e.g., through the use of public key encryptionor secure hashing) prior to communication to the external authenticationmechanism 112.

In particular, the transformation of the local credentials allows theability to avoidance of sending up plaintext/reversible localcredentials to the external authentication mechanism 112. By sendingonly transformed credentials, the external authentication mechanism 112is able to authenticate the associated user profiles without having theability to observe directly the schema or underlying local accesscredentials.

In a further aspect, the first microprocessor 102 is configured tomaintain a rolling secret stored in a local data structure whosecorresponding key is periodically provided to the externalauthentication server. By utilizing a rolling secret maintained locallyand periodically transmitted, the threat of malicious access eventemulation at the external authentication mechanism 112 level can bereduced once the rolling secret has rolled over.

The rolling secret, for example, can include a private symmetric keythat is used to generate a message to the external authentication serverwith the key (e.g., generated based on a magic #, a sequence #, afacility #, a card #), etc. The external authentication server receivesthe transformed credentials (e.g., a cookie generated from theunderlying credentials), which it can process and something it is notcapable of processing or generating (a token generated from the rollingsecret).

In another aspect, the first microprocessor 102 and the secondmicroprocessor 106 are configured for offline usage when disconnectedfrom the external authentication server.

The online usage capabilities can be limited. For example, the firstmicroprocessor 102 may be coupled to a data storage storing a cyclicalbuffer of previous successful access attempts and even if disconnectedfrom the external authentication server, those authenticated profiles,upon the first microcontroller receiving a corresponding correct inputfrom the ACM to the second microcontroller, can generate control signalsprovisioning or denying access to a controlled resource.

In another aspect, memory regions of data storage coupled to or residingon the first microprocessor 102 can be used for avoiding the need forexplicit time stamping through a re-use of the memory region markingmechanism. This mechanism is particularly useful where the clocks on thefirst or the second microprocessor 106 (or both) cannot be relied uponto provide accurate timestamps (this issue arises in respect of low costand low-power implementations, such as timestamp slippage or a poorlysynchronized local clock), or if the microprocessors simply don't haveclocks.

A security log may also persist across reboots, without requiring theuse of flash memory. Flash memory is typically the only storage mediumavailable on these low-power devices (i.e., they don't have hard drives)and flash memory will burn out and become unusable after anywhere from250 k to 1M write-cycles which makes it infeasible for maintainingconstantly-changing logs.

The “typical” approach is to use a large amount of flash memory and use“wear-levelling” techniques to try to maximize the lifetime of the flashchips. The approach described herein maintains the required datastructures needed for secure operation—without the need for operationsthat ultimately degrade the on-device flash memory.

A compiler instruction can be used to mark memory as non-initialized—oninitial power on, the system sets a flag to 0, once the system obtainsnetwork connectivity, it periodically updates a RAM based standardvariable with the time. When the system restarts, the microprocessortakes that time and loads the time into the system clock. Accordingly,the microcontroller is able to maintain a view of current time without abattery, clock, etc.

In some embodiments, it is critical to maintain logs of access events,for audit and security purposes. This requires accurate timestamps to bemaintained for any access events or exceptions—especially during eventswhere someone may be attempting to tamper with the system byinterrupting network connectivity, or where mobile implementations mightnot have network connectivity (e.g., in a parking garage or remotelocation).

A naive approach would be to put a clock and a battery into thedevice—but that requires periodic maintenance of the battery (or limitsthe service lifetime of the device).

FIG. 2 is an example method diagram showing an example method 200 foraccess control, according to some embodiments, showing example steps202-210, which are non-limiting and other, different, alternate stepsare possible. At 202, a token or signals from a token are presented at alegacy reader, and the secondary (e.g., slave) limited clock speedmicroprocessor receives the signals and decodes the signals. Thesignals, for example, can include authentication short width electricalpulses from that are received at a physical token reader. These signalsare intercepted at the point of presentation and processed by thesecondary limited clock speed microprocessor.

At 204, this decoded message is then provided in the form of a decodedidentifier data value to the primary limited clock speed microprocessor.The primary limited clock speed microprocessor can interact with anexternal authentication server by first converting the decoded messageinto a hashed representation and submitting the hashed representation tothe external authentication server. By generating the hashedrepresentation, the actual identifier associated with the user'sidentifier token need not be transmitted openly to the externalauthentication server, removing a source of cybersecurity risk.

At 206, the external authentication server processes the hashedrepresentation to make an access provisioning determination. In someembodiments, this can include extended functionality prior to making thedetermination, such as controlling a mobile device to conduct otherassessments in respect of location of the mobile device, requiring theentering of a password, among others. In another embodiment, theexternal authentication server compares the user identifier against anaccess control list, such as an active directory and various logicalconditions thereof. For example, the external authentication server mayrequire that a waiver has been filed on record, or a wellnessdeclaration and temperature score below a particular threshold havingbeen saved on record. At 208, the access provisioning signal 208 isreceived by the primary limited clock speed microprocessor, which at210, controls the secondary limited clock speed microprocessor toconduct an actuation to allow access to various protected resources. Insome embodiments, instead of controlling the secondary limited clockspeed microprocessor, the primary limited clock speed microprocessoritself conduct an actuation to allow access to various protectedresources. Providing access can include unlocking a door, unlockingelectronic access to an electronic account, unlatching a cabinet door,open a garage door, unlocking a vehicle's ignition, etc.

FIG. 3 is an example computing device 300, according to someembodiments. The computing device 300 is an example microprocessor ormicrocontroller, and the device 300 can include a computer processor302, memory 304 (e.g., read only memory, random access memory), aninput/output interface 306 (e.g., I/O pins), and an interface 308 forcommunication, for example, with a message bus. The computer processor302 can be configured to interpret machine-interpretable instructionsstored on a non-transitory computer readable medium, and to execute amethod for access control in accordance with methods described inembodiments herein.

FIG. 4 is a diagram showing an example retrofit system, according tosome embodiments. In diagram 400, an existing card reader 402, isaugmented by a backend control unit 408 that can, for example, be asystem 100 that operates to intercept signals as described in variousembodiments herein. The system 100 includes at least two low clock speedmicroprocessors that operate with one another to coordinate messagingusing legacy protocols where one of the low clock speed microprocessorsis dedicated to signal emulation in respect of received signals and/oraccess control provisioning signals. Accordingly, a person may presenthis/her key card to the reader 402.

A signal may be provided, for example, through electrical coupling ofthe key card to the reader 402 (e.g., a series of electrical pulses).The signal may be intercepted by the system 100 and read by a secondary,dedicated low clock speed microprocessor for generating an identity dataobject from the information adduced (e.g., converting the series ofelectrical pulses into an identity value). This data object is thenprovided to a primary low clock speed microprocessor that generates arepresentation of this data object (e.g., a one way hashed version ofthe identity value) for transmission across network 450 to a backenddigital access control manager 104 that can be coupled to one or moreexternal databases.

For example, backend digital access control manager 104 can includedigital access controls that utilize an active directory service forimproved control and authentication of the user. In this example,backend digital access control manager 104 can interoperate with amobile device having a secure repository for credential storage 405 andrequire an increased mobile credential 406 to be asserted in certainsituations when the key card is presented to the reader 402. Forexample, this can be required at a first usage of the key card, or whena security level has been increased (e.g., a pattern of breaches havebeen noticed in the news). The mobile credential 406 can include varioustokens or data objects, such as data packets having biometricinformation, password information, etc. In some embodiments, mobilecredential 406 is related to requirements relating to wellness checks orother physical characteristics, such as requiring a declaration inrespect of recent travel, recent location information from the device(e.g., to indicate that no recent travel has occurred), temperaturereadings (e.g., from a coupled biometric device), among others.

Upon authentication, the backend digital access control manager 104 canprovide a corresponding authenticated data object to the primary lowclock speed microprocessor, which can then decode and securely transmitan instruction command to the secondary low clock speed microprocessor.In some embodiments, the secondary low clock speed microprocessor canemulate an authenticated signal based on a series of emulated codes andpulses to interoperate with the legacy system to provide access to thesecured resource (e.g., unlocking door latch or magnetic closuredevice).

In some embodiments, the device of FIG. 4 , instead of being a retrofit,can include an extension of a legacy system. In this example, a cardreader 402 can be installed at a remote site, such as an inventory shed,that can be difficult or impractical to connect via wiring. The system100 can emulate the signals to a wired panel coupled to the legacysystem to enable interoperability.

FIG. 4 is a simplified example; in some embodiments, the card reader 402is coupled to a plurality of access controllers (e.g., doors, lockers)in the legacy implementation. The signalling challenge here isexacerbated as the card reader 402 can receive multiple signals fromaccess attempts at the plurality of doors and signal timing becomes evenmore important. In such a situation, an implementation with a singlelock clock speed microprocessor may become overwhelmed by multiple tasksand may miss actuations (or even worse, misinterpret actuations andinadvertently allow access). A reader 402 to many secured access element(i.e., 1:n) situation can occur, for example, where the secured resourceis an evidence locker having many doors (e.g., evidence from crime sceneA, B, C each having their own section). Other situations are alsopossible, such as three readers 402 servicing fifteen secured resources.

FIG. 5 is an example block schematic showing a more complex system,according to some embodiments. In this example, diagram 500 shows afacility having a legacy system device 502, 509 that is extended withadditional beaconing devices 504, 510, 512. These beacon devices 504,510, 512 are utilized in conjunction, for example, with a securitycamera or motion sensor 505 and a mobile device to ensure that a coupledmobile device is in a physical vicinity of the legacy system device 502,509 in addition to simply providing a key card. This is useful where astolen key card is being utilized. By requiring the mobile device is ina physical vicinity of the legacy system device, the stolen key card ismore difficult to use without the rightful owner being present. Thelegacy system devices 502, 509 can be extended with a system 100 asdescribed in various embodiments. In an example, the legacy systemdevices 502, 509 can both be serviced by a single backend reader 402that is coupled to both and receives/processes signals from both,sending actuation signals directly to the corresponding accessprovisioning mechanism (e.g., mantrap revolving door, door latch).

The primary microprocessor can interoperate with the beacon devicesand/or a digital backend, and control the secondary microprocessor forinteroperation with the legacy system device 502, 509 (e.g., signalinterception and emulation both at the credential interaction level andthe access granting level, respectively). A series of pulses can beintercepted, processed with an additional level of scrutiny, and uponsuccessful authentication at the higher level of scrutiny, a successfulvalidation can be emulated and utilized for granting access to thesecured resource 514 (in an example, a server room). The beacon signals,for example, when received by the mobile device can be converted intodistance estimations (e.g., −25 dB, −26 dB) so that the person has anadditional level of validation by having the mobile device relay rollingcodes along with the distance estimations as part of the validationprocess.

A variation can include utilizing the system to be extended to garagedoors, remote gates, among others. Supporting remote locations requirethe devices to manage a secure, encrypted network communication (tomaintain a link to the centralized access control system). This raisessimilar technical issues as noted in various sections herein: theoverhead of managing those interactions can interfere with the hardreal-time requirements involved with capturing the incoming signals fromaccess control tokens.

As a further example, this proposed solution would allow a large numberof new access-controlled spaces to be added to an existing accesscontrol system, without requiring the corresponding costs that would betraditionally associated with expanding the central access controlsystem. In this implementation a large number of access-controlledcabinets, such as a set of evidence lockers 516, could be connected toone or more microcontroller-based devices.

Each of the evidence lockers 516 can be coupled to a legacy reader, andan additional extension may include, for example, access control devicesthat could be connected to a traditional access control reader toreceive user credentials, and a traditional PIN pad to allow the user toenter the locker number.

Once the end-user's credential is authenticated, themicrocontroller-based device would close an attached electrical relay,thereby unlocking the selected locker 516. This permits a plethora ofspaces to be securely controlled by a central access control system,without requiring any changes to the existing access control readers orsystem, and without the costs of scaling the central access controlsystem.

FIG. 6 is a block schematic showing a system being extended to provideprotection in respect of a vehicle, according to some embodiments.System 600 in this example is a premises-based security system that isextended to provide improved authentication and validation in respect ofa vehicle. In this example, a keyfob 680 can be presented to a legacyvalidation/lock device 606. The legacy validation/lock device 606, in anaïve implementation, is vulnerable to a relay attack where the keyfob680's signal is instead of being proximate, is relayed by a pair ofmalicious users operating in tandem.

The digital system 600 can be utilized along with components of thedevice described in system 100 to provide an efficient and effectiveretrofit solution to intercept and emulate signals to provide additionallayers of security or validation prior to unlocking a door or ignition.As noted herein, additional layers of validation can includedeclarations or indications in respect of rest (e.g., for truck drivers,a data object representing their sleeping/movement patterns), or inrespect of drug testing (e.g., intoxication).

In this implementation, a microcontroller-based device mounted insidethe vehicle would be attached to a traditional access control reader forreceiving end-user credentials, and a modem (e.g., cellular) for networkconnectivity back to the access control system. Once the end-user'scredential is authenticated, the microcontroller-based device wouldclose an attached electrical relay, thereby enabling the vehicle'sexisting ignition system.

Additionally, the microcontroller-based device can retain a local cacheof the end-user credential inside a local cache, to permit subsequentre-authentication of the user, even if the vehicle is outside ofcellular range (e.g., in an underground parking garage). This permitsaccess to a remote, mobile vehicle to be securely controlled by acentral access control system, without requiring any changes to theexisting access control readers or system.

As a further example, this proposed solution would allow an existingaccess control system to be extended to remote locations that cannot beserved by traditional, centralized wired/wireless solutions. In thisimplementation, a microcontroller-based device mounted at a remotelocation would be attached to a traditional access control reader forreceiving end-user credentials, and a modem (e.g., cellular) for networkconnectivity back to the access control system.

Once the end-user's credential is authenticated, themicrocontroller-based device would close an attached electrical relay,thereby unlocking the door (e.g., releasing a maglock, anelectrically-controlled door strike, or an electrically-controlledmortise lockset). This permits the remote location to be securelycontrolled by a central access control system, without requiring anychanges to the existing access control readers or system.

The system 100 provides a low cost system that can be used for a wideretrofit, and accordingly, an existing access control system to beextended into automotive vehicles, to permit those systems to controlthe remote access to vehicle fleets, in order to ensure that drivers areauthorized employees and/or have proper training (e.g., hazardousvehicle operators).

FIG. 7 is a electrical pulse diagram of signals associated with a set ofexample doors, according to some embodiments. In diagram 700, a set offour doors are shown, with pulses associated with Wiegand 0 and 1actuations.

Legacy access control systems make use of door controllers thattypically service many readers, which means that interface devices suchas this must have the capability of receiving multiple, simultaneoussignals, as shown in FIG. 7 .

FIG. 8 is a second electrical pulse diagram of signals associated with aset of example doors, according to some embodiments. In this examplediagram 800, a microcontroller is shown to be tasked with variousdecoding tasks in a short 50 us window.

With typical clock speeds and door configurations, this means that alow-power microprocessor would be required to respond to any incomingbits within a small number of clock cycles, as shown in FIG. 8 ; duringthis time the microcontroller must detect a level-change on the Wiegandinput, process a software interrupt, sample its ADC to determine thelevel of the line (“0” or “1”), store the result in an internal datastructure, reset the software interrupt settings, and return from theinterrupt handler.

As noted in this diagram 700, the pulses have very short durations oftime in which they can be processed, and a missed duration or amis-timed actuation could lead to a miscommunicated or uninterpretablesignal.

It is important to note that not all embodiments are limited to Wiegand,and other protocols that have similar timing accuracy considerations arealso contemplated. Incoming pulses can be read by the secondarymicroprocessor for decoding a message provided by a keyfob andintercepted. The secondary microprocessor can, upon a successfulauthentication, be controlled to emulate the access pulses to the legacysystem, for example, controlling electronic circuits to generate acorresponding set of pulses as if the system was encountering thekeyfob.

The term “connected” or “coupled to” may include both direct coupling(in which two elements that are coupled to each other contact eachother) and indirect coupling (in which at least one additional elementis located between the two elements).

Although the embodiments have been described in detail, it should beunderstood that various changes, substitutions and alterations can bemade herein without departing from the scope. Moreover, the scope of thepresent application is not intended to be limited to the particularembodiments of the process, machine, manufacture, composition of matter,means, methods and steps described in the specification.

As one of ordinary skill in the art will readily appreciate from thedisclosure, processes, machines, manufacture, compositions of matter,means, methods, or steps, presently existing or later to be developed,that perform substantially the same function or achieve substantiallythe same result as the corresponding embodiments described herein 5 maybe utilized. Accordingly, the embodiments are intended to include withintheir scope such processes, machines, manufacture, compositions ofmatter, means, methods, or steps.

As can be understood, the examples described above and illustrated areintended to be exemplary only.

What is claimed is:
 1. A device for controlling access to one or moreprotected resources, the device comprising: a secondary microprocessorcoupled to a physical access control device, the secondarymicroprocessor configured for receiving and decoding authenticationelectrical pulses from a user credential reader as when a usercredential interacts with the user credential reader to generatecorresponding user identifier data values, and the secondarymicroprocessor configured for transmitting electrical pulse signals toan access control management device that provisions access to the one ormore protected resources; a master microprocessor coupled to an externalauthentication server and the secondary microprocessor, the mastermicroprocessor configured to: receive the corresponding user identifierdata values; transform the user identifier data values using acryptographic function to generate a transformed representation forcommunication to the transformed representation to the externalauthentication server; receive an access provisioning signal from theexternal authentication server; and transmit an instruction signal tothe secondary microprocessor to control the secondary microprocessor toprovision access to the one or more protected resources; wherein thesecondary microprocessor and the master microprocessor are coupled toone another across a message bus connection and a separate signal path,the signal path enabling communication from the secondary microprocessorto the master microprocessor for indicating when the user credentialinteracts with the user credential reader; and wherein said usercredential is associated with an entity, and wherein receiving saidaccess provisioning signal from said external authentication server isbased on whether a mobile communication device associated with saidentity is within a threshold distance of said user credential readerwhen said user credential interacts with said user credential reader. 2.The device of claim 1, wherein the user credential is a local credentialthat is not provided to or accessible directly by the externalauthentication server.
 3. The device of claim 2, wherein thecryptographic function used to transform the local credential is aprivate symmetric key.
 4. The device of claim 2, wherein thecryptographic function used to transform the local credential is anasymmetric key.
 5. The device of claim 2, wherein the user credential islocally authenticated using a cryptographic function that uses one ormore private pre-shared keys and one or more rolling secrets.
 6. Thedevice of claim 1, wherein the user credential is combined with anadditional authentication element that is combined with the usercredential for generating the transformed representation.
 7. The deviceof claim 6, wherein the additional authentication element is requestedonly for access attempts occurring during a designated duration of time.8. The device of claim 6, wherein the additional authentication elementincludes at least one of a declaration in respect of recent travel,wellness checks, temperature readings, or recent location information.9. The device of claim 6, wherein the additional authentication elementis requested during a security level increase or a detected first usageof the user credential.
 10. The device of claim 1, wherein the one ormore protected resources include one or more access-controlled cabinetsthat are connected to at least one of the master microprocessor and thesecondary microprocessor.
 11. A method for controlling access to one ormore protected resources, the method comprising: receiving and decoding,at a secondary microprocessor coupled to a physical access controldevice, authentication electrical pulses from a user credential readergenerated when a user credential interacts with the user credentialreader to generate corresponding user identifier data values, thesecondary microprocessor configured for transmitting electrical pulsesignals to an access control management method that provisions access tothe one or more protected resources; receiving the corresponding useridentifier data values at a master microprocessor coupled to an externalauthentication server and the secondary microprocessor; transforming theuser identifier data values using a cryptographic function to generate atransformed representation for communication to the transformedrepresentation to the external authentication server; receiving anaccess provisioning signal from the external authentication server; andtransmitting an instruction signal to the secondary microprocessor tocontrol the secondary microprocessor to provision access to the one ormore protected resources; wherein the secondary microprocessor and themaster microprocessor are coupled to one another across a message busconnection and a separate signal path, the signal path enablinguni-directional communication from the secondary microprocessor to themaster microprocessor for indicating when the user credential interactswith the user credential reader; and wherein said user credential isassociated with an entity, and wherein receiving said accessprovisioning signal from said external authentication server is based onwhether a mobile communication device associated with said entity iswithin a threshold distance of said user credential reader when saiduser credential interacts with said user credential reader.
 12. Themethod of claim 11, wherein the user credential is a local credentialthat is not provided to or accessible directly by the externalauthentication server.
 13. The method of claim 12, wherein thecryptographic function used to transform the local credential is aprivate symmetric key.
 14. The method of claim 12, wherein thecryptographic function used to transform the local credential is anasymmetric key.
 15. The method of claim 13, wherein the user credentialis locally authenticated using a cryptographic function that uses one ormore private pre-shared keys and one or more rolling secrets.
 16. Themethod of claim 11, wherein the user credential is combined with anadditional authentication element that is combined with the usercredential for generating the transformed representation.
 17. The methodof claim 16, wherein the additional authentication element is requestedonly for access attempts occurring during a designated duration of time.18. The method of claim 16, wherein the additional authenticationelement includes at least one of a declaration in respect of recenttravel, wellness checks, temperature readings, or recent locationinformation.
 19. The method of claim 16, wherein the additionalauthentication element is requested during a security level increase ora detected first usage of the user credential.
 20. A non-transitorycomputer readable medium, storing machine interpretable instructionswhich when executed, cause a processor to perform a method forcontrolling access to one or more protected resources, the methodcomprising: receiving and decoding, at a secondary microprocessorcoupled to a physical access control device, authentication electricalpulses from a user credential reader generated when a user credentialinteracts with the user credential reader to generate corresponding useridentifier data values, the secondary microprocessor configured fortransmitting electrical pulse signals to an access control managementmethod that provisions access to the one or more protected resources;receiving the corresponding user identifier data values at a mastermicroprocessor coupled to an external authentication server and thesecondary microprocessor, transforming the user identifier data valuesusing a cryptographic function to generate a transformed representationfor communication to the transformed representation to the externalauthentication server; receiving an access provisioning signal from theexternal authentication server; and transmitting an instruction signalto the secondary microprocessor to control the secondary microprocessorto provision access to the one or more protected resources; wherein thesecondary microprocessor and the master microprocessor are coupled toone another across a message bus connection and a separate signal path,the signal path enabling uni-directional communication from thesecondary microprocessor to the master microprocessor for indicatingwhen the user credential interacts with the user credential reader; andwherein said user credential is associated with an entity, and whereinreceiving said access provisioning signal from said externalauthentication server is based on whether a mobile communication deviceassociated with said entity is within a threshold distance of said usercredential reader when said user credential interacts with said usercredential reader.